Documentation changes preview: https://docs-v3-preview.elastic.dev/elastic/ecs/pull/2524/reference/
MikePaquette left a comment
Have you considered proposing a new value for event.type instead? It too is an array, and should accommodate the proposed "device" allowed value.
I have two concerns with adding device as a new value for event.category.
- For ECS users in general, it may cause confusion and diversion from `event.category:host`, which is the preferred category for all host events. (FYI, when ECS was first defined, both "system" and "device" were considered before deciding on "host".)
- It may be difficult to identify a device action when the `event.category` (array) contains both `host` and `device`, with an `event.type` value such as `info`. (i.e., Which is it - host info or device info?)
If instead we extend event.type to include a new allowed value of device, then an event that had:
event.kind: event
event.category:host
event.type: [device], [denied]
event.action: usb_storage_device_blocked
would be very clear that it took place on a host, and an attempt to install a device was blocked by the EDR.
@MikePaquette this makes a lot of sense. @ricardo-estc do you think you can make the necessary changes based upon Mike's recommendations?

@MikePaquette @qcorporation done, please review the updated changes
MikePaquette left a comment
Please close PR #2522
Please fix docs issue where "device" is not added to the list at the top

Otherwise, LGTM.
Updated docs @MikePaquette, thank you!

1. What does this PR do?

This PR adds a new value for ~~`event.category: device`~~ `event.type: device`. The new value would be used to categorize events related to peripheral devices connecting to, disconnecting from, or being managed by the host operating system. This enables security teams to monitor unauthorized device usage, track hardware inventory, enforce device policies, and detect potential security threats from malicious devices or data exfiltration attempts through removable storage.

Related issue: #2522
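The scheme settled on in this thread (`event.category` stays `host`, `device` becomes an `event.type` value) can be checked and consumed programmatically. The following is an added example, not code from the elastic/ecs project: it classifies constructed ECS documents under that scheme, handles the string-or-array form of ECS array fields, and flags the rejected alternative where `device` appears in `event.category`. The allowed-value sets are assumptions limited to the values named in this PR, not the project's authoritative lists.

```python
from typing import Any, Iterable

# Assumed allowed-value sets: small subsets of the real ECS lists, limited to the
# values named in this PR discussion (not the project's authoritative definitions).
ALLOWED_EVENT_CATEGORY = {"host"}
ALLOWED_EVENT_TYPE = {"device", "denied", "info"}

def _as_list(value: Any) -> list[str]:
    """ECS array fields may arrive as a bare string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def validate_event(doc: dict[str, Any]) -> list[str]:
    """Report categorization values outside the (assumed) allowed lists."""
    ev = doc.get("event", {})
    problems = []
    for v in _as_list(ev.get("category")):
        if v not in ALLOWED_EVENT_CATEGORY:
            problems.append(f"event.category value not allowed: {v}")
    for v in _as_list(ev.get("type")):
        if v not in ALLOWED_EVENT_TYPE:
            problems.append(f"event.type value not allowed: {v}")
    return problems

def is_device_event(doc: dict[str, Any]) -> bool:
    """A peripheral-device event is a host-category event whose type includes 'device'."""
    ev = doc.get("event", {})
    return "host" in _as_list(ev.get("category")) and "device" in _as_list(ev.get("type"))

def blocked_device_actions(docs: Iterable[dict[str, Any]]) -> list[str]:
    """event.action of every device event the EDR denied, e.g. for a device-policy report."""
    return [
        d["event"].get("action", "")
        for d in docs
        if is_device_event(d) and "denied" in _as_list(d["event"].get("type"))
    ]

# Constructed sample documents (not real telemetry).
SAMPLE_EVENTS = [
    # The worked example from the review comment above.
    {"event": {"kind": "event", "category": ["host"], "type": ["device", "denied"], "action": "usb_storage_device_blocked"}},
    # A plain host event with string-valued (non-array) fields; constructed action name.
    {"event": {"kind": "event", "category": "host", "type": "info", "action": "host_heartbeat"}},
    # The rejected alternative: "device" inside event.category with only an "info" type.
    {"event": {"kind": "event", "category": ["host", "device"], "type": ["info"], "action": "usb_device_enumerated"}},
]
```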